User Added To Group With CA Policy Modification Access

Monitor and alert on group membership additions of groups that have CA policy modification access

Sigma rule (View on GitHub)

 1title: User Added To Group With CA Policy Modification Access
 2id: 91c95675-1f27-46d0-bead-d1ae96b97cd3
 3status: test
 4description: Monitor and alert on group membership additions of groups that have CA policy modification access
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
 7author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'
 8date: 2022/08/04
 9tags:
10    - attack.defense_evasion
11    - attack.persistence
12    - attack.t1548
13    - attack.t1556
14logsource:
15    product: azure
16    service: auditlogs
17detection:
18    selection:
19        properties.message: Add member from group
20    condition: selection
21falsepositives:
22    - User removed from the group is approved
23level: medium

References

Related rules

to-top